source: fedd/abac-src/ttg/credential/RtmlFrontier.java @ 8780cbec

axis_examplecompt_changesinfo-opsversion-1.30version-2.00version-3.01version-3.02
Last change on this file since 8780cbec was 8780cbec, checked in by Jay Jacobs <Jay.Jacobs@…>, 15 years ago

ABAC sources from Cobham

  • Property mode set to 100644
File size: 11.1 KB
Line 
1package com.nailabs.abac.credential;
2
3import java.util.*;
4
5import com.nailabs.abac.process.FrontierManager;
6import com.nailabs.abac.process.AckPolicy;
7import com.nailabs.abac.process.AckFact;
8import com.nailabs.abac.process.ACPolicy;
9import com.nailabs.abac.process.ResourcePolicy;
10import edu.stanford.peer.rbtm.credential.Entity;
11import edu.stanford.peer.rbtm.credential.EntityExpression;
12import edu.stanford.peer.rbtm.credential.RoleName;
13import edu.stanford.peer.rbtm.credential.SimpleRoleName;
14import edu.stanford.peer.rbtm.credential.StaticCredential;
15import edu.stanford.peer.rbtm.engine.Simp;
16import edu.stanford.peer.rbtm.engine.Sens;
17import edu.stanford.peer.rbtm.engine.Oppo;
18import edu.stanford.rt.credential.*;
19import edu.stanford.rt.parser.RTParser;
20import edu.stanford.rt.util.Constants;
21
22/**
23 * A frontier manager class which uses the application specification
24 * domain for determining whether a rol is issuer traces all, issuer
25 * traces def, etc.
26 */
27public class RtmlFrontier extends FrontierManager implements Constants {
28    protected HashMap discoveryConfig;
29
30    protected ApplicationDomain domain;
31
32    protected CredentialStore store;
33
34    protected RTContext context;
35
36    protected HashID id  = null;
37
38    //protected HashSet issuerTracesAll = new HashSet();
39
40    protected HashSet issuerTraces = new HashSet();
41
42    //protected HashSet issuerTracesDef  = new HashSet();
43
44    protected ResourcePolicy resourcePolicy = null;
45
46    public RtmlFrontier(HashMap config) {
47        String domainName = getApplicationDomainName(config);
48        discoveryConfig = new HashMap(2); // needed for constructing a DDEngine
49        discoveryConfig.put("DDEParser", config.get("DDEParser"));
50        discoveryConfig.put("PrepInfo", config.get("PrepInfo"));
51        discoveryConfig.put("DDEContext", config.get("DDEContext"));
52        store = (CredentialStore)config.get("CredentialStore");
53        context = (RTContext)config.get("RTContext");
54        id = new HashID(HashID.APPLICATION_DOMAIN, domainName);
55        domain = context.getApplicationDomain(id);
56        init(config);
57    }
58
59    /** specialized init method for accessing the credential store backends */
60    public void init(HashMap config) {
61        // (0) get the configurations entity identifier
62        this.self =(Entity) config.get("EntityID");
63       
64        // (1) load acknowledgement(ACK) policy
65        ackPolicy = (AckPolicy)config.get("AckPolicy");
66       
67        // (2) load access control (AC) policy
68        acPolicy = (ACPolicy)config.get("AccessControl");
69        // (2 and 1/2) load the resource policy
70        resourcePolicy = (ResourcePolicy)config.get("ResourcePolicy");
71
72        // (3) load issuer traceable roles
73        // (4) load subject traceale roles
74        parseRoleDeclarations(config);
75
76        // (5) construct sensitive roles predicate from the ack policy
77        Sens sens = new Sens(ackPolicy.getSensitiveRoles());
78
79        // (6) construct opponent predicate from the issuer traceable roles
80        Oppo oppo = new Oppo(new Vector(issuerTracesDef));
81        oppo.addSubjects(new Vector(issuerTracesAll));
82       
83        // TBD: Does this really need to be separated into two mutually
84        //      exclusive credential sets? And in this case we have three
85        //      credential stores (the primordial, issuer-traces, and
86        //      subject-traces).
87       
88        // (8) separate policy reachable credentials
89        // (9) separate self reachable credentials
90        CredentialStore store = (CredentialStore)config.get("CredentialStore");
91        CredentialStore subjectStore = null, issuerStore = null;
92        try {
93            RTParser parser = new RTParser();
94            subjectStore = new CredentialStore(parser);
95            issuerStore = new CredentialStore(parser);
96            Iterator domains = 
97                store.getCredentialDomains().values().iterator();
98            while(domains.hasNext()) {
99                CredentialDomain domain = (CredentialDomain)domains.next();
100                RoleDefinition def = 
101                    (RoleDefinition)domain.roleDefinitionIterator().next();
102                RoleName roleName = 
103                    new SimpleRoleName(def.getHead().getName());
104                if(isIssuerTraceable(roleName)) {
105                    issuerStore.addCredentialDomain(domain.getHashID(),domain);
106                } else {
107                    //if(isSubjectTraceable(roleName)) {
108                    subjectStore.addCredentialDomain(domain.getHashID(),domain);
109                }
110                // It is possible that credential may fall through to here. We
111                // propbably just remove the second if-statement...
112            }
113        } catch (Exception ex) {
114            ex.printStackTrace();
115        }
116
117        // (7) construct the frontier functions with their predicates
118        oppoLocal = new RtmlEngine(issuerStore);
119        System.out.println("------> Sensitive Graph");
120        sensFrontier = new RtmlEngine(subjectStore, sens);
121        System.out.println("------> Opponent Graph");
122        oppoFrontier = new RtmlEngine(issuerStore, oppo);
123        System.out.println("------> Simple Graph");
124        simpFrontier = new RtmlEngine(subjectStore, new Simp());
125
126        // perform credential discovery here
127        DDEngine selfTraceable = discoverSelfTraceable();
128        DDEngine policyTraceable = discoverPolicyTraceable();
129        // TBD: add backwards compatibility check in here if necessary
130        //      which would avoid discovery
131        ((RtmlEngine)oppoLocal).importDomains(policyTraceable);
132        ((RtmlEngine)sensFrontier).importDomains(selfTraceable);
133        ((RtmlEngine)oppoFrontier).importDomains(policyTraceable);
134        ((RtmlEngine)simpFrontier).importDomains(selfTraceable);
135    }
136
137
138    protected String getApplicationDomainName(HashMap config) {
139        Properties props = (Properties)config.get("RTML");
140        return props.getProperty("ApplicationDomain");
141    }
142   
143    protected OrderedMap getRoleDeclarations() {
144        try {
145            return domain.getRoleDeclarations();
146        } catch(Exception ex) {
147            ex.printStackTrace();
148        }
149        return null;
150    }
151
152
153    public DDEngine discoverPolicyTraceable() {
154        Iterator ackValues = ackPolicy.getRequiredRoles().iterator();
155        Iterator acValues = acPolicy.getRequiredRoles().iterator();
156        Iterator resourceValues = resourcePolicy.getRequiredRoles().iterator();
157        DDEngine discoveryEngine = new DDEngine(discoveryConfig);
158        HashSet policySet = new HashSet();
159       
160        while(ackValues.hasNext()) {
161            AckFact ackVal = (AckFact)ackValues.next();
162            policySet.add(ackVal.getRequirement());
163        }
164        while(acValues.hasNext()) {
165            EntityExpression acVal = (EntityExpression)acValues.next();
166            policySet.add(acVal);
167        }
168        while(resourceValues.hasNext()) {
169            EntityExpression resourceVal = 
170                (EntityExpression)resourceValues.next();
171            policySet.add(resourceVal);
172        }
173        Iterator randomRoles = policySet.iterator();
174        while(randomRoles.hasNext()) {
175            EntityExpression random = (EntityExpression)randomRoles.next();
176            discoveryEngine.backwardSearch(random);
177        }
178        return discoveryEngine;
179    }
180
181    public DDEngine discoverSelfTraceable() {
182        HashSet selfSet = new HashSet();
183        Iterator mySensRoles = ackPolicy.getSensitiveRoles().iterator();
184        DDEngine discoveryEngine = new DDEngine(discoveryConfig);
185        //RtmlEngine local = new RtmlEngine(store);
186
187        //find all the credentials which have roles that map directly to self
188        Iterator myRoles = oppoFrontier.findCredentialsBySubject(self);
189        while(myRoles.hasNext()) {
190            RtmlCredential cred = (RtmlCredential)myRoles.next();
191            EntityExpression me = cred.getDefinedRole();
192            selfSet.add(me);
193        }
194        myRoles = sensFrontier.findCredentialsBySubject(self);
195        while(myRoles.hasNext()) {
196            RtmlCredential cred = (RtmlCredential)myRoles.next();
197            EntityExpression me = cred.getDefinedRole();
198            selfSet.add(me);
199        }
200        //add the sensitive roles to the initial search set
201        while(mySensRoles.hasNext()) {
202            EntityExpression sense = (EntityExpression)mySensRoles.next();
203            selfSet.add(sense);
204        }
205        //perform forward searches on the pseudo-random set of roles
206        Iterator randomRoles = selfSet.iterator();
207        while(randomRoles.hasNext()) {
208            EntityExpression random = (EntityExpression)randomRoles.next();
209                discoveryEngine.forwardSearch(random);
210        }
211        return discoveryEngine;
212    } 
213
214
215    protected void parseRoleDeclarations(HashMap config) {
216        // TBD: revisit to make this more robust in case an error occurs.
217        //      it should not necessarily bail out of all role processing
218        try {
219            OrderedMap map = getRoleDeclarations();
220            Iterator keys = map.keyIterator();
221            System.out.println("Frontier parsing role declaratons");
222            while(keys.hasNext()) {
223                RoleDeclaration role = (RoleDeclaration)map.get(keys.next());
224                System.out.println("role = " + role.getName());
225                parseRoleDeclaration(role);
226                System.out.println();
227            }
228        } catch(Exception ex) {
229            ex.printStackTrace();
230        }
231        System.out.println("End declaration parsing!");
232        config.put("IssuerTracesAll", issuerTracesAll);
233        config.put("IssuerTracesDef", issuerTracesDef);
234        config.put("SubjectTraceable", subjectTraces);
235    }
236
237    protected void parseRoleDeclaration(RoleDeclaration declaration) {
238        int issuerValue = declaration.getIssuerTracesType();
239        int subjectValue = declaration.getSubjectTracesType();
240
241        if(issuerValue == ISSUER_TRACES_ALL) {
242            issuerTracesAll.add(declaration.getName());
243            System.out.print("issuer_traces_all");
244        } 
245        if(issuerValue == ISSUER_TRACES_DEF) {
246            issuerTracesDef.add(declaration.getName());
247            System.out.print("issuer_traces_def");
248        }
249        if(subjectValue == SUBJECT_TRACES_ALL) {
250            subjectTraces.add(declaration.getName());
251            System.out.print("subject_traces_all");
252        }
253    }
254
255    private RoleDeclaration getRoleDeclaration(RoleName role) {
256        try {
257            System.out.println("id = " + id);
258            return domain.lookupRoleDeclaration(role.getName());
259        } catch(Exception ex) {
260            ex.printStackTrace();
261        }
262        return null;
263    }
264
265    /** Is the specified credential policy traceable? */
266    public boolean isPolicyTraceable(StaticCredential cred) {
267        return isIssuerTraceable(cred.getDefinedRole().getName());
268    }
269
270    /** Can the specified credential be traced back to this negotiator? */
271    public boolean isSelfReachable(StaticCredential cred) {
272        return isSubjectTraceable(cred.getDefinedRole().getName());
273    }
274
275    public boolean isIssuerTraceable(RoleName role) {
276        int value = getRoleDeclaration(role).getIssuerTracesType();
277        return (value == ISSUER_TRACES_ALL || value == ISSUER_TRACES_DEF);
278    }
279
280    public boolean isIssuerTracesAll(RoleName role) {
281        int value = getRoleDeclaration(role).getIssuerTracesType();
282        return (value == ISSUER_TRACES_ALL);
283    }
284
285    public boolean isIssuerTracesDef(RoleName role) {
286        int value = getRoleDeclaration(role).getIssuerTracesType();
287        return (value == ISSUER_TRACES_DEF);
288    }
289
290    public boolean isSubjectTraceable(RoleName role) {
291        int value = getRoleDeclaration(role).getSubjectTracesType();
292        return (value == SUBJECT_TRACES_ALL);
293    }
294     
295    public boolean subjectTracesAll(RoleName role) {
296        int value = getRoleDeclaration(role).getSubjectTracesType();
297        return (value == SUBJECT_TRACES_ALL);
298    }
299           
300
301}
Note: See TracBrowser for help on using the repository browser.